1. Patchew
  2. QEMU
  3. View series

[PATCH v2] hw/misc/bcm2835_thermal: Fix access size handling in bcm2835_thermal_ops

Zheyu Ma posted 1 patch 1 year, 7 months ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20240702154042.3018932-1-zheyuma97@gmail.com
Maintainers: Peter Maydell <peter.maydell@linaro.org>, "Philippe Mathieu-Daudé" <philmd@linaro.org>
hw/misc/bcm2835_thermal.c | 2 ++
1 file changed, 2 insertions(+)
[PATCH v2] hw/misc/bcm2835_thermal: Fix access size handling in bcm2835_thermal_ops
Posted by Zheyu Ma 1 year, 7 months ago 
The current implementation of bcm2835_thermal_ops sets
impl.max_access_size and valid.min_access_size to 4, but leaves
impl.min_access_size and valid.max_access_size unset, defaulting to 1.
This causes issues when the memory system is presented with an access
of size 2 at an offset of 3, leading to an attempt to synthesize it as
a pair of byte accesses at offsets 3 and 4, which trips an assert.

Additionally, the lack of valid.max_access_size setting causes another
issue: the memory system tries to synthesize a read using a 4-byte
access at offset 3 even though the device doesn't allow unaligned
accesses.

This patch addresses these issues by explicitly setting both
impl.min_access_size and valid.max_access_size to 4, ensuring proper
handling of access sizes.

Error log:
ERROR:hw/misc/bcm2835_thermal.c:55:bcm2835_thermal_read: code should not be reached
Bail out! ERROR:hw/misc/bcm2835_thermal.c:55:bcm2835_thermal_read: code should not be reached
Aborted

Reproducer:
cat << EOF | qemu-system-aarch64 -display \
none -machine accel=qtest, -m 512M -machine raspi3b -m 1G -qtest stdio
readw 0x3f212003
EOF

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
---
Changes in v2:
- Added .valid.min_access_size and .valid.max_access_size settings
  to ensure proper handling of valid access sizes.
---
 hw/misc/bcm2835_thermal.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/misc/bcm2835_thermal.c b/hw/misc/bcm2835_thermal.c
index ee7816b8a5..0c49c088a7 100644
--- a/hw/misc/bcm2835_thermal.c
+++ b/hw/misc/bcm2835_thermal.c
@@ -80,8 +80,10 @@ static void bcm2835_thermal_write(void *opaque, hwaddr addr,
 static const MemoryRegionOps bcm2835_thermal_ops = {
     .read = bcm2835_thermal_read,
     .write = bcm2835_thermal_write,
+    .impl.min_access_size = 4,
     .impl.max_access_size = 4,
     .valid.min_access_size = 4,
+    .valid.max_access_size = 4,
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
-- 
2.34.1
Re: [PATCH v2] hw/misc/bcm2835_thermal: Fix access size handling in bcm2835_thermal_ops
Posted by Peter Maydell 1 year, 7 months ago 
On Tue, 2 Jul 2024 at 16:41, Zheyu Ma <zheyuma97@gmail.com> wrote:
>
> The current implementation of bcm2835_thermal_ops sets
> impl.max_access_size and valid.min_access_size to 4, but leaves
> impl.min_access_size and valid.max_access_size unset, defaulting to 1.
> This causes issues when the memory system is presented with an access
> of size 2 at an offset of 3, leading to an attempt to synthesize it as
> a pair of byte accesses at offsets 3 and 4, which trips an assert.
>
> Additionally, the lack of valid.max_access_size setting causes another
> issue: the memory system tries to synthesize a read using a 4-byte
> access at offset 3 even though the device doesn't allow unaligned
> accesses.
>
> This patch addresses these issues by explicitly setting both
> impl.min_access_size and valid.max_access_size to 4, ensuring proper
> handling of access sizes.
>
> Error log:
> ERROR:hw/misc/bcm2835_thermal.c:55:bcm2835_thermal_read: code should not be reached
> Bail out! ERROR:hw/misc/bcm2835_thermal.c:55:bcm2835_thermal_read: code should not be reached
> Aborted
>
> Reproducer:
> cat << EOF | qemu-system-aarch64 -display \
> none -machine accel=qtest, -m 512M -machine raspi3b -m 1G -qtest stdio
> readw 0x3f212003
> EOF
>
> Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
> ---



Applied to target-arm.next, thanks.

-- PMM
Re: [PATCH v2] hw/misc/bcm2835_thermal: Fix access size handling in bcm2835_thermal_ops
Posted by Philippe Mathieu-Daudé 1 year, 7 months ago 
On 2/7/24 17:40, Zheyu Ma wrote:
> The current implementation of bcm2835_thermal_ops sets
> impl.max_access_size and valid.min_access_size to 4, but leaves
> impl.min_access_size and valid.max_access_size unset, defaulting to 1.
> This causes issues when the memory system is presented with an access
> of size 2 at an offset of 3, leading to an attempt to synthesize it as
> a pair of byte accesses at offsets 3 and 4, which trips an assert.
> 
> Additionally, the lack of valid.max_access_size setting causes another
> issue: the memory system tries to synthesize a read using a 4-byte
> access at offset 3 even though the device doesn't allow unaligned
> accesses.
> 
> This patch addresses these issues by explicitly setting both
> impl.min_access_size and valid.max_access_size to 4, ensuring proper
> handling of access sizes.
> 
> Error log:
> ERROR:hw/misc/bcm2835_thermal.c:55:bcm2835_thermal_read: code should not be reached
> Bail out! ERROR:hw/misc/bcm2835_thermal.c:55:bcm2835_thermal_read: code should not be reached
> Aborted
> 
> Reproducer:
> cat << EOF | qemu-system-aarch64 -display \
> none -machine accel=qtest, -m 512M -machine raspi3b -m 1G -qtest stdio
> readw 0x3f212003
> EOF
> 

Suggested-by: Peter Maydell <peter.maydell@linaro.org>

> Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
> ---
> Changes in v2:
> - Added .valid.min_access_size and .valid.max_access_size settings
>    to ensure proper handling of valid access sizes.
> ---
>   hw/misc/bcm2835_thermal.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/hw/misc/bcm2835_thermal.c b/hw/misc/bcm2835_thermal.c
> index ee7816b8a5..0c49c088a7 100644
> --- a/hw/misc/bcm2835_thermal.c
> +++ b/hw/misc/bcm2835_thermal.c
> @@ -80,8 +80,10 @@ static void bcm2835_thermal_write(void *opaque, hwaddr addr,
>   static const MemoryRegionOps bcm2835_thermal_ops = {
>       .read = bcm2835_thermal_read,
>       .write = bcm2835_thermal_write,
> +    .impl.min_access_size = 4,

Personally I consider accepting access of

   .valid.min_access_size > .impl.min_access_size

as a bug in the memory core layer, whether being
unaligned or not.

>       .impl.max_access_size = 4,
>       .valid.min_access_size = 4,
> +    .valid.max_access_size = 4,
>       .endianness = DEVICE_NATIVE_ENDIAN,
>   };
>
Re: [PATCH v2] hw/misc/bcm2835_thermal: Fix access size handling in bcm2835_thermal_ops
Posted by Peter Maydell 1 year, 7 months ago 
On Tue, 2 Jul 2024 at 16:50, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
> Personally I consider accepting access of
>
>    .valid.min_access_size > .impl.min_access_size
>
> as a bug in the memory core layer, whether being
> unaligned or not.

Mmm. You could make an argument for
  .valid: min_access_size = 4, unaligned = true
  .impl.min_access_size = 1, unaligned = false

meaning "accesses must be 32 bits, and if the guest
makes an unaligned 32 bit access then you can
synthesize it with 4 byte reads/writes", I guess.
But whether we (a) get that right (b) use it anywhere
(c) use it anywhere intentionally is not something
I'd be very confident in asserting :-)

I definitely think that our "synthesize accesses
where valid and impl mismatch" code could use a
going-over, so we either get it right or assert if
the MemoryRegionOps ask for something we don't handle.
Maybe someday...

thanks
-- PMM

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.